platform_system_sepolicy/private/traced_probes.te

# Perfetto tracing probes, has tracefs access.
type traced_probes_exec, system_file_type, exec_type, file_type;
type traced_probes_tmpfs, file_type;

# Allow init to exec the daemon.
init_daemon_domain(traced_probes)
tmpfs_domain(traced_probes)

# Write trace data to the Perfetto traced damon. This requires connecting to its
# producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(traced_probes)

# Allow traced_probes to access tracefs.
allow traced_probes debugfs_tracing:dir r_dir_perms;
allow traced_probes debugfs_tracing:file rw_file_perms;
allow traced_probes debugfs_trace_marker:file getattr;
allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;

# TODO(primiano): temporarily I/O tracing categories are still
# userdebug only until we nail down the denylist/allowlist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
')

# Allow traced_probes to start with a higher scheduling class and then downgrade
# itself.
allow traced_probes self:global_capability_class_set { sys_nice };

# Allow procfs access
r_dir_file(traced_probes, domain)

# Allow to temporarily lift the kptr_restrict setting and build a symbolization
# map reading /proc/kallsyms.
userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
allow traced_probes proc_kallsyms:file r_file_perms;

# Allow to read packages.list file.
allow traced_probes packages_list_file:file r_file_perms;

# Allow to log to kernel dmesg when starting / stopping ftrace.
allow traced_probes kmsg_device:chr_file write;

# Allow traced_probes to list the system partition.
allow traced_probes system_file:dir { open read };

# Allow traced_probes to list some of the data partition.
allow traced_probes self:global_capability_class_set dac_read_search;

allow traced_probes apk_data_file:dir { getattr open read search };
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
userdebug_or_eng(`
# search and getattr are granted via domain and coredomain, respectively.
allow traced_probes system_data_file:dir { open read };
')
allow traced_probes system_app_data_file:dir { getattr open read search };
allow traced_probes backup_data_file:dir { getattr open read search };
allow traced_probes bootstat_data_file:dir { getattr open read search };
allow traced_probes update_engine_data_file:dir { getattr open read search };
allow traced_probes update_engine_log_data_file:dir { getattr open read search };
allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };

# Allow traced_probes to run atrace. atrace pokes at system services to enable
# their userspace TRACE macros.
domain_auto_trans(traced_probes, atrace_exec, atrace);

# Allow traced_probes to kill atrace on timeout.
allow traced_probes atrace:process sigkill;

# Allow traced_probes to access /proc files for system stats.
# Note: trace data is NOT exposed to anything other than shell and privileged
# system apps that have access to the traced consumer socket.
allow traced_probes {
  proc_meminfo
  proc_vmstat
  proc_stat
}:file r_file_perms;

# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
hal_client_domain(traced_probes, hal_health)
hal_client_domain(traced_probes, hal_power_stats)

# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
hal_client_domain(traced_probes, hal_atrace)

# On debug builds allow to ingest system logs into the trace.
userdebug_or_eng(`read_logd(traced_probes)')

###
### Neverallow rules
###
### traced_probes should NEVER do any of this

# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced_probes self:process execmem;

# Block device access.
neverallow traced_probes dev_type:blk_file { read write };

# ptrace any other app
neverallow traced_probes domain:process ptrace;

# Disallows access to /data files.
neverallow traced_probes {
  data_file_type
  -apk_data_file
  -dalvikcache_data_file
  -system_data_file
  -system_data_root_file
  -system_app_data_file
  -backup_data_file
  -bootstat_data_file
  -update_engine_data_file
  -update_engine_log_data_file
  -user_profile_root_file
  -user_profile_data_file
  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
  # subsequent neverallow. Currently only getattr and search are allowed.
  -vendor_data_file
  -zoneinfo_data_file
  with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced_probes {
  data_file_type
  -zoneinfo_data_file
  -packages_list_file
  with_native_coverage(`-method_trace_data_file')
}:file *;

# Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition;
neverallow * traced_probes:process dyntransition;